Lucene search

4 matches found

NVD
added 2026/05/29 1:16 p.m., 8 views

CVE-2026-48527

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the /system/api/saveNode endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by...

CVSS 8.7, EPSS 0.00033
Exploits: 0, References: 1
CVE
added 2026/05/29 12:26 p.m., 18 views

CVE-2026-48527

HAX CMS (PHP/NodeJS backends) is affected up to version 26.0.0 by a stored XSS in the /system/api/saveNode endpoint. An authenticated user with page-edit permissions can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name. Affected compon...

CVSS 8.7, AI score 5.6, EPSS 0.00033
Exploits: 0, References: 1
EUVD
added 2026/03/19 11:2 p.m., 3 views

EUVD-2026-13369

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the value of the returnid request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotati...

CVSS 5.9, AI score 5.8, EPSS 0.00046
Exploits: 0, References: 2
CNVD
added 2016/08/07 12:0 a.m., 2 views

Mozilla Firefox and Firefox ESR Cross-Site Scripting Vulnerability

Mozilla Firefox is an open source web browser; Firefox ESR is an extended support version of Firefox. Mozilla Firefox and Firefox fail to properly handle the JavaScript event-handler attribute in the MARQUEE element, allowing remote attackers to exploit the vulnerability to build malicious web...

CVSS 6.1, AI score 8.4, EPSS 0.00294
Exploits: 0, References: 1